Phishing and OAuth Token Flaws Expose Microsoft 365 Accounts to Full Compromise

The420.in Staff

Cybersecurity researchers are warning of a dangerous security trend in which phishing attacks combined with flaws in OAuth authentication tokens are being exploited to compromise Microsoft 365 accounts and other cloud services — even bypassing traditional defences. The findings highlight how attackers are chaining seemingly minor web vulnerabilities with sophisticated phishing tactics to evade detection and gain persistent access to sensitive accounts.

How OAuth and Phishing Are Being Abused

Modern web applications use OAuth 2.0 tokens as trusted credentials that allow services to access users’ accounts without requiring passwords — for example, when logging into apps via “Continue with Microsoft” or “Login with Google.” These tokens act like keys: whoever holds them can access the associated account until they are revoked.

However, attackers have developed methods to exploit OAuth flows through phishing and token manipulation that bypass standard security defences:

Malicious phishing emails now leverage legitimate features in OAuth authentication to trick users into granting access tokens to attacker-controlled applications. Once a token is granted, the attacker can use it to access email, files, calendars and other cloud resources.

By chaining small flaws in legitimate web features, such as newsletter signup forms or password-reset endpoints, with email spoofing, attackers can make legitimate infrastructure send malicious messages that pass authentication checks (like SPF and DMARC) — so the messages land in the victim’s main inbox instead of being filtered out.

In some campaigns, attackers trick users into authorizing device codes or OAuth prompts that appear to come from trusted domains (e.g., Microsoft’s official login pages). Entering these codes — often disguised as one-time passwords — grants an OAuth token automatically, which then gives unauthorized access.

Once an OAuth token is issued, traditional responses like changing the password or enabling multi-factor authentication (MFA) do not by themselves revoke it. The attacker keeps access until the token is explicitly revoked or expires. Experts warn this can lead to full account takeovers and lateral movement within corporate environments.

These attack methods effectively blur the line between phishing and abuse of trusted authorization mechanisms, making it harder for standard security tools to distinguish malicious activity from legitimate user behaviour.

OAuth Device Code and Token Abuse: A New Phishing Frontier

Recent campaigns have shown how threat actors are weaponising OAuth device code flows, a feature originally designed for devices with limited input abilities. Instead of stealing passwords, adversaries send phishing messages with URLs or QR codes that initiate an OAuth grant on a legitimate login page. When victims enter the displayed code — believing it to be safe — attackers receive the OAuth access token tied to their account.
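To make concrete why the device code flow behaves as described above, and why the earlier point about password changes holds, here is an added example that is not code from the article or from any vendor. It is a toy in-memory model of the RFC 8628 device authorization grant: the client that starts the flow is the party that ends up holding the token, the user only ever sees a genuine verification page and a short code, and an issued token survives a password change until it is revoked or expires. Every user name, client id, URI and scope string here is constructed.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the article or from any vendor. It simulates an
authorization server in memory to show two points the article makes: the
access token is delivered to the client that started the flow and polls for
it, not to the browser where the user typed the code; and a later password
change does not invalidate that token. Only revocation or expiry does.
Every name, URI and value here is constructed.
"""
import secrets
import time


class ToyAuthorizationServer:
    """In-memory authorization server supporting only the device code grant."""

    def __init__(self, code_lifetime=300, token_lifetime=3600):
        self.pending = {}    # device_code -> pending authorization
        self.tokens = {}     # access_token -> issued token record
        self.passwords = {}  # user -> password (toy credential store)
        self.code_lifetime = code_lifetime
        self.token_lifetime = token_lifetime

    def register_user(self, user, password):
        self.passwords[user] = password

    # Step 1: the client that wants access starts the flow and gets both codes.
    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "expires_at": time.time() + self.code_lifetime, "user": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device"}

    # Step 2: the user signs in on the legitimate verification page and types
    # the user_code. The page is genuine; what the user cannot see is which
    # client is waiting on the other end.
    def verify_user_code(self, user, password, user_code):
        if self.passwords.get(user) != password:
            return False
        for entry in self.pending.values():
            if (entry["user_code"] == user_code and entry["user"] is None
                    and time.time() < entry["expires_at"]):
                entry["user"] = user
                return True
        return False

    # Step 3: the client polls with its device_code and, once the user has
    # approved, receives a bearer token for that user.
    def token(self, device_code):
        entry = self.pending.get(device_code)
        if entry is None or time.time() >= entry["expires_at"]:
            return {"error": "expired_token"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {
            "user": entry["user"], "client_id": entry["client_id"],
            "scope": entry["scope"], "revoked": False,
            "expires_at": time.time() + self.token_lifetime,
        }
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": entry["scope"]}

    # What a resource server checks: the token is good until expiry or revocation.
    def introspect(self, access_token):
        t = self.tokens.get(access_token)
        return bool(t) and not t["revoked"] and time.time() < t["expires_at"]

    def change_password(self, user, new_password):
        # Only the credential store changes; issued tokens are untouched.
        self.passwords[user] = new_password

    def revoke_tokens_for_user(self, user):
        # The control that actually ends access. Returns how many tokens it hit.
        hits = [t for t in self.tokens.values() if t["user"] == user and not t["revoked"]]
        for t in hits:
            t["revoked"] = True
        return len(hits)


def walkthrough():
    """Run the grant end to end and report the token's validity at each stage."""
    srv = ToyAuthorizationServer()
    srv.register_user("alice@example.test", "correct horse")
    start = srv.device_authorization("mail-sync-client", "Mail.Read Files.Read")
    before_user_acts = srv.token(start["device_code"])
    accepted = srv.verify_user_code("alice@example.test", "correct horse", start["user_code"])
    issued = srv.token(start["device_code"])
    report = {
        "before_user_acts": before_user_acts,
        "user_code_accepted": accepted,
        "valid_after_issue": srv.introspect(issued["access_token"]),
    }
    srv.change_password("alice@example.test", "new password")
    report["valid_after_password_change"] = srv.introspect(issued["access_token"])
    report["tokens_revoked"] = srv.revoke_tokens_for_user("alice@example.test")
    report["valid_after_revocation"] = srv.introspect(issued["access_token"])
    return report


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Running `walkthrough()` shows the polling client receiving `authorization_pending` until the user approves, a valid token afterwards, the same token still valid after the password change, and only `revoke_tokens_for_user` turning it off. The design point for defenders is that the password check in `verify_user_code` and the token store are separate; a real provider's sign-in logs and revocation APIs are what close that gap, which is why the article's recommendations centre on monitoring and revocation rather than credential hygiene alone.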

This method has several dangerous characteristics:

  • It bypasses multi-factor authentication and password resets because the token is granted through OAuth consent, not traditional login credentials.
  • Because the authentication occurs on official domains, common phishing filters and email security systems often fail to flag these attacks.
  • Attackers can use these tokens to take over Microsoft 365 accounts, steal sensitive data, move laterally within an organization, and persist for long periods if tokens are not revoked.
  • Proofpoint and other researchers have observed multiple threat groups — from financially motivated actors to state-linked adversaries — using these sophisticated OAuth phishing techniques to target a wide range of victims.

Why OAuth Token Flaws Matter

OAuth token abuse represents a paradigm shift in account compromise tactics:

  • Traditional phishing often relies on fake websites and credential harvesting. With OAuth phishing, attackers exploit legitimate login and consent flows that users trust, making detection much more difficult.
  • OAuth tokens can grant access without ever exposing user passwords, meaning typical password protection (including MFA) may not protect against this class of attack.
  • Token persistence — in some cases valid for extended periods — can allow attackers to maintain long-term access unless they are explicitly removed.
  • Researchers point out that relying solely on password security or standard MFA will not stop these threats: token governance, vigilant monitoring of consented applications, and automated revocation of suspicious OAuth tokens are essential to prevent unauthorized access.

What Organizations Must Do

To defend against OAuth token and phishing threats, cybersecurity experts recommend:

  • Strict monitoring of OAuth consent grants and reviewing all third-party apps authorized to access corporate accounts.
  • Conditional Access policies that limit which OAuth flows are permitted and restrict token issuance based on device compliance, location and user role.
  • User training and awareness to recognise when OAuth consent prompts might be malicious — even if they appear on legitimate domains.
  • Automated token revocation processes when suspicious or unexpected authorizations are detected.
  • Regular audits of OAuth applications and their permissions to ensure that only necessary scopes are granted.

By elevating OAuth token management to a core security priority, organizations can reduce the risk of account takeovers and limit the blast radius when phishing campaigns exploit trusted authentication mechanisms.
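The recommendations above (reviewing consent grants, watching for device-code sign-ins, and feeding suspicious authorizations into revocation) can be reduced to a small triage routine. The following is an added example, not code from the article or from Microsoft: it runs over a few constructed log records whose field names are assumptions loosely modelled on the shape of Entra audit and sign-in exports, so map them to your own data before use. The approved-app allowlist and the high-risk scope set are likewise constructed.

```python
"""Triage of consent-grant and device-code sign-in records (added example).

Not code from the article or from Microsoft. The records below are
constructed and only loosely modelled on Entra audit and sign-in log entries;
the field names are assumptions. The logic implements three of the article's
recommendations: compare consent grants against an allowlist of reviewed
apps, flag successful device-code sign-ins, and list users whose tokens
should be revoked.
"""
import json

# Constructed allowlist of apps that have been through a review.
APPROVED_APPS = {"contoso-hr-portal"}
# Constructed set of scopes that warrant a review even for a known app.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "MailboxSettings.ReadWrite", "offline_access"}

# Constructed sample records, one JSON object per line.
SAMPLE_LOGS = """\
{"category": "ApplicationManagement", "activity": "Consent to application", "user": "alice@example.test", "app": "contoso-hr-portal", "scopes": "User.Read", "consent_type": "User"}
{"category": "ApplicationManagement", "activity": "Consent to application", "user": "bob@example.test", "app": "Mail Sync Helper", "scopes": "Mail.ReadWrite offline_access", "consent_type": "User"}
{"category": "SignInLogs", "user": "carol@example.test", "app": "Microsoft Office", "authentication_protocol": "deviceCode", "ip": "203.0.113.7", "status": "success"}
{"category": "SignInLogs", "user": "dave@example.test", "app": "Outlook", "authentication_protocol": "authorizationCode", "ip": "198.51.100.4", "status": "success"}
"""


def parse_records(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Return one finding per record that needs a human or automated response."""
    findings = []
    for r in records:
        if r.get("activity") == "Consent to application":
            requested = set(r.get("scopes", "").split())
            risky = requested & HIGH_RISK_SCOPES
            reasons = []
            if r.get("app") not in APPROVED_APPS:
                reasons.append("app not on approved list")
            if risky:
                reasons.append("high-risk scopes requested")
            if reasons:
                findings.append({"user": r["user"], "app": r.get("app"),
                                 "reasons": reasons, "risky_scopes": sorted(risky)})
        elif (r.get("category") == "SignInLogs"
              and r.get("authentication_protocol") == "deviceCode"
              and r.get("status") == "success"):
            # Device-code sign-ins are rare for ordinary users; each one is a
            # review item because the token went to whichever client started the flow.
            findings.append({"user": r["user"], "app": r.get("app"),
                             "reasons": ["device code sign-in"], "risky_scopes": []})
    return findings


def revocation_candidates(findings):
    """Users whose sessions and refresh tokens should be revoked pending review."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    results = triage(parse_records(SAMPLE_LOGS))
    for f in results:
        print(f)
    print("revoke:", revocation_candidates(results))
```

On the sample data, alice's grant to the reviewed app with `User.Read` passes, bob's grant to an unlisted app asking for mailbox write access and `offline_access` (a refresh token) is flagged on both counts, and carol's device-code sign-in is flagged, giving two revocation candidates. In a real deployment the revocation step would call the identity provider's session and refresh-token revocation API rather than just printing names.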

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
